When researchers say they’ve found a vulnerability in WPA2 (WiFi Protected Access) security standard, wireless LAN administrators stand up and take notice. Md. Sohail Ahmad, a researcher with wireless security vendor Airtight Networks, presented a WPA2 vulnerability dubbed Hole 196 at Black Hat yesterday and DEFCON 18 this weekend.
Details on the vulnerability remain somewhat fuzzy, but the Wi-Fi Alliance says Hole 196 appears to be a wireless version of ARP spoofing, the exploit in Address Resolution Protocol that allows hackers to perpetrate man-in-the-middle attacks.
Matthew Gast, chairman of the Wi-Fi Alliance’s Security Task Group (and director of product management for Aerohive Networks), said Hole 196 is an exploit that only authorized network users can use to bypass WPA2 encryption.
An insider on the network can set up a hack to trick a client into perceiving the hacker’s client devices as an access point. The victim will send its data to the hacker, who can observe it while forwarding it on to the access point.
“Since this is a vulnerability that’s been around since the beginning of Ethernet, network admins are already accustomed to dealing with it,” Gast said.
Gast said network performance monitoring can detect the latency caused by the extra hops associated with the attack. Also, network admins can enable the client isolation filter found on most LAN infrastructure, which won’t be fooled by an ARP spoofing attack. An AP will look directly at the destination MAC address, recognize the problem and cut the connection. The victim’s client device will immediately experience a loss of connectivity. The user will call help desk and it’s only a matter of time before a network admin tracks down the MAC address of the hacker.
When I set out to write about Cisco’s new CCIE Emeritus program a few weeks ago, I spoke to three CCIE-certified engineers, all at different stages of their career, to get a variety of perspectives on the program. CCIE Emeritus is a program for CCIE-certified engineers who are no longer working closely with networking technology on a daily basis and don’t have the up-to-date technical skills required for passing the biannual recertification exam. Instead, if they’ve been in the CCIE program for at least 10 years, they can opt into the Emeritus program, which allows them to maintain a connection to the CCIE program without being fully certified. Instead, they demonstrate that they’ve taken on more of a leadership role in the industry, as technology executives, authors, lecturers or mentors. they keep the CCIE badge on their resumes, but potential employers know that these people are no longer living in the network on a daily basis. Instead they’ve advanced into other types of careers.
Mostly the engineers I talked to thought it was a nice option for Cisco to offer to people and they could see scenarios in which going in this Emeritus program would work for them. No one seemed to object to it.
However, i got some reader feedback recently that presented a different view. Robert DuBell (CCIE#9105), a consulting systems engineer with World Wide Technology Inc., had this to say:
The written recertification test is definitely not a “hands on” test like the lab is. The written test can purely be passed simply by studying the material written in the study material listed on the Cisco CCIE written prep suggestions. You don’t have to be in the CLI all day every day in order to complete the recertification. Simply spend a few hours of your free time studying the proper material and you can recert. If you want to keep your CCIE valid, then you should have no problem keeping up with the technology.
Just because you have moved into a management position does not mean you should let your knowledge of cutting edge technology slip! I have completed the recertification test four times and I have taken different track tests to broaden my working knowledge of the different technologies. I think I have done the Routing and Switching CCIE recert test once since achieving my CCIE.
The CCIE is the best cert out there because Cisco has not given into rules changes on how they run their program. I think this is a shame that they have given into the CIOs and PMs [product managers] so they can keep their number active.
HP Networking recently posted this handy little warranty chart (PDF) to help customers understand the warranties on all its products, both the old ProCurve-branded gear and the recently acquired H3C and TippingPoint products that came over in the 3Com acquisition.
Historically, the major appeal of the HP ProCurve line was its low total cost of ownership. The lifetime warranty that HP applied to most of the ProCurve products was very straightforward. You buy it, we guarantee the thing will work for as long as you own it and will provide technical support forever. No need for expensive support contracts. I’ve heard from more than one network manager who said they switched from Cisco to HP ProCurve because the lower TCO was too tempting to pass up.
When HP bought 3Com and its young but promising sub-brand of H3C, it was hard to imagine that all of the high end 3Com products would find their way under the umbrella of HP’s lifetime warranty approach. And judging from this chart, that’s exactly the case.
You’ll find that the fixed-configuration H3C switches have been moved into the lifetime warranty program, including the A5810, A5800, A5500, A3600 and A3100 switches (Back in their H3C days, these switches started with the letter “S” rather than “A”).
The modular H3C switches are a different story. The big A12500 and A9500 chassis switches and the smaller A7500 and A5820 modular switches all have one-year warranties, with lifetime software and OS maintenance coverage and one year of free technical support.
The 3Com fixed-configuration switches, such as the E5500, E4800G, E4500G and E4200G are all covered under the lifetime warranty.
It looks like most of the TippingPoint network security products (IPS appliances, gateways and firewalls) will have one-year warranties.
Some folks worried that the old ProCurve lifetime warranty would disappear with the 3Com acquisition. It appears to remain in effect for the most part. It’s just not as broad as it used to be.
Gartner’s 2010 Magic Quadrant for network access control (NAC) is remarkably crowded for a market that reportedly generated just $200 million in annual revenue in 2009. Gartner has included 18 vendors in this year’s quadrant. For many of these companies, NAC revenue is a drop in the bucket. For others, NAC revenue is everything (Bradford Networks, ForeScout, Avenda Systems, InfoExpress, Impulse Point, Nevis Networks). How the heck are they all making enough money to stay in the NAC business?
Gartner says that NAC gets a bad wrap because it’s not generating a ton of revenue and many vendors have disappeared. The most recent exit was ConSentry Networks, which mysteriously still has a live website even though it went out of business in August 2009. But enterprises are using NAC. Guest access is a hugely popular use case, and Gartner believes the “consumerization” of IT will only drive up NAC adoption. With end users bringing personal devices into work, enterprises will need to provide secure access to them.
Gartner is actually projecting a flat market for NAC in 2010, with no revenue growth. Total adoption of NAC is increasing but the revenue is flat because many vendors are offering NAC as part of a larger product or service. As we first pointed out while covering the first NAC Magic Quadrant a year ago, There are the infrastructure vendors like Cisco, Juniper, Enterasys, HP and Avaya, who embed NAC in their switching or security products. There are endpoint security and network security vendors like McAfee, Sophos, Symantec, Check Point Software, who bundle NAC in their products. The indie vendors have to compete against all these guys, many of whom might throw in NAC for free just to close a deal on some switches or some malware protection software. (Does anyone remember how popular Netscape Navigator was before Microsoft decided to bundle Internet Explorer with Windows for free?)
So what does this crowded quadrant look like?
Cisco and Juniper stand alone here. These are the companies who have both excellent technological vision and the ability to deliver on that vision to their customers. Symantec, a leader last year, was bumped into the challenger quadrant because its guess access capabilities are weak. Gartner kept Cisco in the leaders’ spot even though it says Cisco’s NAC solution is too complex and expensive. Gartner noted many Cisco customers have turned to NAC competitors recently. However, Gartner gave Cisco points for its roadmap, noting that the company will release a new line of NAC appliances later this year that consolidates many of the functions that were spread out over too many products. Gartner complimented Juniper for its early embrace of the Trusted Computing Group‘s protocols for NAC interoperability and its IF-MAP specification.
These are the companies that have the ability to close deals but whose technological vision needs a little refinement. As mentioned above, Symantec got bumped from into here for a poor approach to guest networking, which many industry observers see as a major use case for NAC. The only other vendor here is Sophos lost points because its NAC Advanced product, the high end choice of its two NAC products, requires agent software separate from its endpoint protection agent. Its counterparts (McAfee and Symantec) have integrated their NAC products into their overall endpoint protection agents.
These are the companies who are leading the market in terms of what they are doing with their technology but don’t have the robust sales, marketing and support capabilities required for closing deals against bigger companies. Here we find McAfee, the other major endpoint protection vendor in the space, along with NAC specialists ForeScout, Bradford Networks and Avenda Systems. Avenda is new to the MQ, it’s just four years old. Gartner gave it high marks for its embrace of interoperability and its focus on guest access. Bradford scores high in these areas, too. ForeScout is known for being easy to use and having an out-of-band approach that allows companies to move from one use case to another easily.
The Niche Players
These are the companies that don’t stand out for either their technological vision or their ability to execute. There are ten vendors in this category, some with big names (HP and Avaya) and some with small names (Nevis Networks, Trustwave). Gartner says all these companies are valid options for NAC, many of them targeting their products to serve specific vertical industries.
OK, so all 18 vendors are valid NAC options for someone. But there are EIGHTEEN of them. That’s a lot of NAC. This has been the case since the very beginning. NAC vendors have come and gone, and yet the market stays crowded. Even the Great Recession failed to thin the herd by very much.
Cisco has been criticized for losing focus on its enterprise networking portfolio with random technology additions like the Flip camera. But Cisco’s move this week to expand its home and enterprise energy management portfolio is not such a loss of focus. In fact, it’s one that could move enterprises to serious cost savings in their power usage, as well as lend itself to developing a nationwide smart grid that actually works.
The problem is Cisco will have to step up its game in convincing networking engineers why they should add yet another item to their to-do list.
Cisco’s Connected Grid portfolio aims to build an IP network on top of utility smart grids to provide communication from inside the utility all the way to smart meters and even appliances and building systems inside homes and enterprises. As Cisco puts it, the network would connect from “the birth of the electron all the way to consumption.” Enterprises and residents alike could then receive constant notice of their power consumption so they could engage in controlling it on an ongoing basis. Utilities in turn would be able to better manage resources.
Cisco used its platform at Cisco Live 2010 this week to outline the expansion of its Smart Connected Buildings offering with new centralized management technology – the Building Mediator Manager 6300. The management technology allows enterprises to monitor energy consumption related to either facilities or IT. That’s especially crucial considering data center energy consumption is expected to grow five times every two years.
Speaking at Cisco Live, Dave Shroyer, senior controls engineer at NetApp, said his company integrated Building Mediator into its building facility controls, including lighting, HVAC and data center operations. NetApp also use it to monitor pricing signals from its utility, PG&E, and automate the lowering of power consumption at peak energy use times. When usage peaks, NetApp automatically dims its lights and reduces the air conditioning in its buildings, for a decrease of 1.1 Megawatts. Employees receive an email alerting them of the situation and Shroyer said he has had “all employee buy-in [with] no negative reaction at all.” The company has saved 18 million kWh and $2 Million in less than a year, for what amounts to a 30% power reduction annually.
Cisco will need to launch a campaign in which cases like this are clearly explained. That will be the only way of showing network managers that this technology is not a loss of focus, but an integral part of their future.
Gartner rolled out a new Magic Quadrant for Enterprise LAN this month and it looks remarkably similar to last year’s, even though Gartner itself acknowledges that the network switching industry is rapidly evolving.
For the uninitiated, the Magic Quadrant is Gartner’s graphical evaluation tool for the technology markets it covers. It breaks down the vendor landscape into four quadrants: Leaders, visionaries, challengers and niche players. Gartner evaluates vendors via two general criteria (which in turn contain a handful of sub-criteria). The evaluation criteria are “completeness of vision” (or how much Gartner likes the direction a vendor is going with its technology) and “ability to execute” (or how much Gartner believes a given vendor has the marketing, sales and engineering resources to deliver on their promises to customers). Leaders score high in both, challengers score high in execution, visionaries in vision. Niche players score relatively low in both.
The only major change to the quadrant this year is the entry of Juniper Networks, which has quickly established itself as a big-time player in the switching industry. Gartner has named Juniper a challenger in this year’s quadrant, when last year it didn’t even meet the revenue requirements for inclusion. Gartner praised Juniper for its strong history in networking (particularly in Layer 3 routing), its aggressive pricing and its strong, young portfolio of switches. Gartner cautioned that Juniper needs to continue expanding its product line and it needs to get more specific on how it’s going to address next generation data centers. Project Stratus remains relatively vague. Juniper also has no clear WLAN strategy, which is a concern since 60% of enterprises like to buy switches and WLAN products from the same vendor.
Cisco Systems and HP Networking remain leaders. Cisco still has the broadest portfolio of switches and WLAN products on the market. It’s introduced several innovations recently, such as StackPower (the ability to manage the power systems of a stack of Catalyst 3750s collectively) and its new NX-OS operating system for its new Nexus data center switches. However, Gartner says Cisco has been slow in executing a unified wired and wireless product line. Cisco has also left many customers confused about how data centers built with the Catalyst product line will be integrated into the Nexus line. Gartner also claims that customers continue to be critical of Cisco’s efforts in sales, engineering and support.
Gartner says HP’s acquisition of 3Com (a visionary in last year’s quadrant) has combined the number 2 and 3 vendors in the market into a single Tier 1 vendor that has transformed the market. Gartner says enterprises should now consider HP for all its networking needs when evaluating vendors. The lifetime hardware warranties and telephone support across most of its products lowers the TCO HP-built networks. However, Gartner warns that the integration of HP and 3Com will take time simply because the product lines are so big. And there is quite a bit of redundancy between the two vendors, which will cause some confusion. HP’s sales force is also relatively new to networking, which some enterprise networking pros might find as a turnoff if they’re used to buying network hardware from knowledgeable sales pros.
Brocade remains a visionary. Its combination of high-end switching and storage networking expertise bodes well for its vision for its data center strategy and Gartner says the customer support legacy of its Foundry Networks acquisition remains strong.
Extreme Networks, Enterasys/Siemens, and Alcatel Lucent remain niche players. Nortel (now Avaya) is also still a niche player. Force 10 Networks, which dropped off the the quadrant last year because of revenue, has not made its way back.
Although the quadrant looks very similar to last year’s, Gartner says that the networking market has transformed tremendously in the last year. Juniper and HP have established themselves as legitimate Tier 1 vendor alternatives to Cisco. The days of “Cisco and the seven dwarfs” are over. Brocade (with its Foundry acquisition) is strong in the data center, not so much in campus LAN.
Aside from the horse race aspect of the vendors, Gartner has also identified several key innovation trends that enterprises should follow closely to see how their vendors respond.
- IP Telephony: Gartner says vendors have varied in their commitment to integrating their network equipment with IP telephony vendors. Specifically, vendors who have their own IP telephony products haven’t been as aggressive in integrating their products with competitors’ IP telephony equipment to meet customer requirements.
- Security: Gartner says network access control (NAC) will be a mainstream requirement for enterprises within two years. It expects that switch vendors will start to embed NAC into their gear in the next couple years. Entersasys has been a leader in this area with its flow-based security technology.
- Evolving network cores: Here is where things are changing rapidly in the enterprise LAN market. With Gigabit Ethernet (GbE) server connections becoming common, low latency, wirespeed core switches with high-density 10 GbE ports are becoming a requirement. Vendors are racing to establish a leadership role here. Data center bridging, fibre channel over Ethernet (FCoE) and the convergence of storage and data on Ethernet are also going to become major disruptions to the market.
- Converged access: Gartner also notes that the drive to integrate wired and wireless networks will lead to the disappearance of the standalone wireless LAN controller. Vendors are integrating controller functionality into their switches. Those who don’t have their own WLAN product lines will be partnering with standalone WLAN vendors to make this happen
- Price: Gartner notes that the average gross margin on networking gear remains around 60% or 65%, which means there is a lot of room for vendors to come down on price in certain situations. Enterprises are more cost-conscious these days and they’re thinking more about the life cycle cost of the networks they build. This means they aren’t just interested in seeing vendors discount their products to win deals. They also want to know that managing and maintaining the networks they build won’t be too expensive.
Let’s face it: If you’re building counterfeit Cisco gear, it’s rather stupid to hand the stuff over to Cisco. Two alleged fraudsters in the Washington, D.C., area figured that out last week when the Feds charged them conspiracy to commit mail fraud and nine counts of mail fraud.
According to the U.S. Attorney’s Office for the Eastern District of Virginia, two brilliant criminals — (Robert Kendrick Chambliss, 36, of Henrico, Va., and Iheanyi Frank Chinasa, 38, of Gaithersburg, Md. — built phony Cisco gear, then complained to Cisco that the gear didn’t work. They then attempted to exchange the phony gear (or components of that phony gear) for legitimate products, which they probably planned to resell to someone. According to the FBI, these two guys tricked Cisco into giving them $27 million worth of products in exchange for the crap they built out of parts they probably bought from eBay and Radio Shack.
I assume that Cisco doesn’t just throw defective products in the garbage when they fulfill an exchange. It’s obvious that Cisco would want to figure out why $27 million worth of equipment is defective. So Cisco would probably hand the junk over to some forensic engineers who can take Cisco gear apart and reassemble it again with their eyes closed. How hard would it be for them to figure out that these jokers had bilked the company? “Hmm, this isn’t one of our ASICs. What’s going on here?”
This is equivalent to printing phony $100 bills, then complaining to the Treasury you aren’t happy with the quality of the printed bills and trying to exchange them for the real thing.
Network World this week published a brutal takedown of the network access control industry, called “NAC: What went wrong?” Consultant Joel Snyder wrote the article after spending four months lab testing the leading 12 NAC products. His conclusion? Five years of hype, new products, vendor launches, vendor collapses and standardization battles have produced a lot of smoke and not much else. The market is scattered, he says. All 12 top vendors are moving in 12 different directions.
Snyder writes that Cisco Systems in particular is guilty of going off the rails with NAC. Basically Cisco’s acquisition-happy ways has led to yet another case of two many cooks in the kitchen. Its acquisition of Perfigo, a vendor of a wireless access gateway product, evolved into the overlay product Cisco NAC Appliance. Meanwhile Cisco’s routing and switching business unit has built its own NAC product, Cisco Secure Access Control Server. If even Cisco can’t decide how to tackle the NAC market, how is an enterprise to figure out which direction to go.
Regardless of the failures of the NAC industry to truly catch fire, I continue to be amazed by the industry’s ability to continue supporting so many different vendors. Sure there are plenty of network infrastructure and network security vendors that can dabble in NAC as a side business. But there are still plenty of independent start-ups out there, too. They’re still trucking along, with few taking the next big leap to an IPO or a buyout. Occasionally you’ll see one go under, like ConSentry Networks, but the others insist they’re doing just fine.
Trusted Computing Group (TCG), the not-for-profit independent standards-body which promotes vendor-neutral NAC standards, has issued a response to Network World’s takedown with an email entitled “What’s Right with NAC?”
TCG cites a projection from Gartner that NAC will become a mature marketwithin two to five years (Gartner issued its first NAC Magic Quadrant last summer). TCG goes on to say: “Well, we agree with both Mr. Snyder at Network World and with [Gartner]. Certainly the path to NAC products has been neither short nor particularly easy, but today there are a lot of good products to choose from and people ARE using NAC successfully.”
Juniper Networks today unveiled it “3-2-1” architectural vision, also under an umbrella of technologies its dubbed the New Network. It’s a recipe for collapsing the data center network from three layers (access, aggregation and core) down to one. Step one, Juniper says, it collapsing down to just two tiers (access and core).
Juniper argues that most data center networks today devote too many ports in the network to connecting switches to switches. Instead, ports should mostly be connecting servers to servers in order to chop latency and reduce the number of network devices needed in a data center.
How does Juniper propose to solve this problem? Well, first Juniper wants enterprises to try flattening their networks to two tiers by ditching the aggregation layer in data centers. Enterprises today spend $1 billion out of $4.8 billion in annual data center switching dollars on aggregation switches, said Mike Banic, Juniper’s vice president of enterprise marketing, citing IDC research. That’s a lot of extra switches with a lot of extra man-hours spent managing them. Juniper argues that enterprises could do better by eliminating the aggregation layer, allow access layer switches to do all the switching between servers. Those access layer switches would only need to use their uplink ports for communications with the data center core and ultimately the campus LAN and WAN.
Juniper claims its Virtual Chassis technology is the key to this elimination of the aggregation layer. The Virtual Chassis technology is a software feature that allows multiple Juniper switches to act as — and be managed as — one single switch. Juniper has had the feature on the market for awhile now in its 1 Gigabit Ethernet EX4200 switches. By pooling multiple EX4200s into a virtual chassis, enterprises are able to eliminate aggregation switches and connect servers more directly together rather than sending packets up and down a three-tiered network.
Today Juniper extended this collapsed data center vision with several new products that should make this approach accessible to enterprises that want to upgrade from Gigabit servers to 10 Gigiabit servers.
- The EX4500 switch is a 48-port 10 Gigabit Ethernet, Layer 3 switch that will support converged enhanced Ethernet, data center bridging and Virtual Chassis technology. This switch will be available this month, but the converged fabric and Virtual Chassis features will be available in subsequent quarters.
- An EX8200 40XS, a 40-port 10 Gigabit Ethernet line card that will allow the EX8216 half-rack core chassis to scale up to 640 10 Gigabit ports. Juniper will also add its virtual chassis technology to the EX8200 switch series in 2011.
- Several new applications built on Junos Space, the open development platform Juniper introduced last year to allow the creation of specialized applications to be built right into the network hardware which runs the Junos operating system. These applications include Juniper Ethernet Design, an app that allows network managers to automate configuration and management of hundreds of switches
Juniper promises that down the road it will introduce additional products and technologies to further collapse data center network architecture from two layers down to one. This is the heart of what is promised in its still sketchy Project Stratus roadmap. There are still very few details about how exactly this single-tiered data center architecture will look. But Dhritiman Dasgupta, Juniper’s senior product marketing manager offered a decent preview while speaking on an Interop panel about the future of the data center network last month. He said:
The best network is the network that connects ports inside a switch,” he said. “It’s completely flat. Any port can talk to any other port. The ports share a consistent state. You can add line cards and it just scales seamlessly. If I could extend that to my data center network, that would be the best network to solve the challenges that virtualization brings.
Project Stratus gives you a network that is built like the inside of a switch. It extends that out to the entire data center network,” Dasgupta continued. “You can have hundreds of thousands of ports with tens of thousands of virtual machines at the end of each of these ports, all working together in harmony in one flat Layer 2 network. You process the packet once, and you have all the information you need to take it from point A to point B.
Carl Eschenbach, EVP of field operations, told IDG News Service that the media is making too much of its strategic alliance with EMC and Cisco Systems. VMware, he says, is an independent infrastructure software vendor that plays nicely with Dell, HP, IBM et al. “We treat everyone equally,” he said.
VMware, Cisco and EMC formed the VCE (Virtual Computing Environment) coalition late last year, which introduced the vbBlock Infrastructure Package, a modular data center package that’s supposed to power cloud computing. It consists of fully integrated and validated bundles of software, servers, storage and network gear. I guess Eschenbach thinks we, the media, are making too much out of the VCE coalition. But how can you avoid hyping a strategic relationship between the world’s biggest virtualization vendor, the world’s biggest storage vendor and the world’s biggest networking vendor?
And besides, VMware has more than a strategic relationship with these two companies. EMC owns 80% of VMware. In 2007, Cisco bought its own stake in the company. Yes, Cisco owns just 1.5% of VMware, but that’s probably about 100% more of an ownership stake than any VMware customer currently holds.
VMware has done a good job of staying vendor agnostic, which is important since enterprises want to be able to run a hypervisor on whatever hardware they have in their server racks. But tight relationships with partners (and part owners) will continue to be a fact of life. VMware faces some serious competition in the future from Citrix Xen and Microsoft’s Hyper V. At Interop last month, consultant Jim Metzler, of Ashton Metzler & Associates, surveyed attendees by show of hands during a panel session on virtualized application delivery appliances. First he asked attendees whether they were currently VMware shops. Nearly all of them raised their hands. Then he asked them if they expected VMware to be the only hypervisor vendor in their data center two or three years from now. No one raised a hand.
A future is coming where VMware won’t be the de facto hypervisor in data centers. How will VMware hold onto market share when Microsoft is giving away Hyper V? Advanced and innovative features and functionality is one answer. Another answer is continued strategic partnerships with key vendors, like EMC and Cisco.